
METHODS

published: 05 November 2019


doi: 10.3389/fbloc.2019.00017

A Decentralized Digital Identity Architecture
Geoff Goodell* and Tomaso Aste

Centre for Blockchain Technologies, University College London, London, United Kingdom

Current architectures to validate, certify, and manage identity are based on centralized, top-down approaches that rely on trusted authorities and third-party operators. We approach the problem of digital identity starting from a human rights perspective, with a primary focus on identity systems in the developed world. We assert that individual persons must be allowed to manage their personal information in a multitude of different ways in different contexts and that to do so, each individual must be able to create multiple unrelated identities. Therefore, we first define a set of fundamental constraints that digital identity systems must satisfy to preserve and promote privacy as required for individual autonomy. With these constraints in mind, we then propose a decentralized, standards-based approach, using a combination of distributed ledger technology and thoughtful regulation, to facilitate many-to-many relationships among providers of key services. Our proposal for digital identity differs from others in its approach to trust in that we do not seek to bind credentials to each other or to a mutually trusted authority to achieve strong non-transferability. Because the system does not implicitly encourage its users to maintain a single aggregated identity that can potentially be constrained or reconstructed against their interests, individuals and organizations are free to embrace the system and share in its benefits.

Keywords: identity, privacy, distributed ledgers, authentication/authorization, unlinkability, self-sovereign identity, early binding, tokens

Edited by: Andrej Zwitter, University of Groningen, Netherlands
Reviewed by: Nichola Cooper, University of the Sunshine Coast, Australia; Raul Zambrano, Independent Researcher, New York, NY, United States
*Correspondence: Geoff Goodell, [email protected]
Specialty section: This article was submitted to Blockchain for Good, a section of the journal Frontiers in Blockchain
Received: 13 August 2019
Accepted: 17 October 2019
Published: 05 November 2019
Citation: Goodell G and Aste T (2019) A Decentralized Digital Identity Architecture. Front. Blockchain 2:17. doi: 10.3389/fbloc.2019.00017

1. INTRODUCTION AND SCOPE

The past decade has seen a proliferation of new initiatives to create digital identities for natural persons. Some of these initiatives, such as the ID4D project sponsored by The World Bank (2019) and the Rohingya Project (2019) involve a particular focus in the humanitarian context, while others, such as Evernym (2019) and ID2020 (2019) have a more general scope that includes identity solutions for the developed world. Some projects are specifically concerned with the rights of children (5rights Foundation, 2019). Some projects use biometrics, which raise certain ethical concerns (Pandya, 2019). Some projects seek strong non-transferability, either by linking all credentials related to a particular natural person to a specific identifier, to biometric data, or to each other, as is the case for the anonymous credentials proposed by Camenisch and Lysyanskaya (2001). Some projects have design objectives that include exceptional access (“backdoors”) for authorities, which are widely considered to be problematic (Abelson et al., 1997, 2015; Benaloh et al., 2018).

Although this article shall focus on challenges related to identity systems for adult persons in the developed world, we argue that the considerations around data protection and personal data that are applicable in the humanitarian context, such as those elaborated by the International Committee of the Red Cross (Kuner and Marelli, 2017; Stevens et al., 2018), also apply to the
Frontiers in Blockchain | www.frontiersin.org 1 November 2019 | Volume 2 | Article 17


Goodell and Aste A Decentralized Digital Identity Architecture

general case. We specifically consider the increasingly commonplace application of identity systems “to facilitate targeting, profiling and surveillance” by “binding us to our recorded characteristics and behaviors” (Privacy International, 2019). Although we focus primarily upon the application of systems for digital credentials to citizens of relatively wealthy societies, we hope that our proposed architecture might contribute to the identity zeitgeist in contexts such as humanitarian aid, disaster relief, refugee migration, and the special interests of children as well.

We argue that while requiring strong non-transferability might be appropriate for some applications, it is inappropriate and dangerous in others. Specifically, we consider the threat posed by mass surveillance of ordinary persons based on their habits, attributes, and transactions in the world. Although the governments of Western democracies might be responsible for some forms of mass surveillance, for example via the recommendations of Financial Action Task Force (2018) or various efforts to monitor Internet activity (Parliament of the United Kingdom, 2016; Parliament of Australia, 2018), the siren song of surveillance capitalism (Zuboff, 2015), including the practice of “entity resolution” through aggregation and data analysis (Waldman et al., 2018), presents a particular risk to human autonomy.

We suggest that many “everyday” activities such as the use of library resources, public transportation services, and mobile data services are included in a category of activities for which strong non-transferability is not necessary and for which there is a genuine need for technology that explicitly protects the legitimate privacy interests of individual persons. We argue that systems that encourage individual persons to establish a single, unitary¹ avatar (or “master key”) for use in many contexts can ultimately influence and constrain how such persons behave, and we suggest that if a link between two attributes or transactions can be proven, then it can be forcibly discovered. We therefore argue that support for multiple, unlinkable identities is an essential right and a necessity for the development of a future digital society for humans.

¹ In the context of personal identity, we use the term unitary to refer to attributes, transactions, or identifiers for which an individual can have at most one and that are, for practical purposes, inseparably bound to their subject.

The rest of this article is organized as follows. In the next section, we offer some background on identity systems; we frame the problem space and provide examples of existing solutions. In section 3, we introduce a set of constraints that serve as properties that a digital identity infrastructure must have to support human rights. In section 4, we describe how a digital identity system with a fixed set of actors might operate and how it might be improved. In section 5, we introduce distributed ledger technology to promote a competitive marketplace for issuers and verifiers of credentials and to constrain the interaction between participants in a way that protects the privacy of individual users. In section 6, we consider how the system should be operated and maintained if it is to satisfy the human rights requirements. In section 7, we suggest some potential use cases, and in section 8 we conclude.

2. BACKGROUND

Establishing meaningful credentials for individuals and organizations in an environment in which the various authorities are not uniformly trustworthy presents a problem for currently deployed services, which are often based on hierarchical trust networks, all-purpose identity cards, and other artifacts of the surveillance economy. In the context of interactions between natural persons, identities are neither universal nor hierarchical, and a top-down approach to identity generally assumes that it is possible to impose a universal hierarchy. Consider “Zooko’s triangle,” which states that names can be distributed, secure, or human-readable, but not all three (Wilcox-O’Hearn, 2018). The stage names of artists may be distributed and human-readable but are not really secure since they rely upon trusted authorities to resolve conflicts. The names that an individual assigns to friends or that a small community assigns to its members (“petnames,” Stiegler, 2005) are secure and human-readable but not distributed. We extend the reasoning behind the paradox to the problem of identity itself and assert that the search for unitary identities for individual persons is problematic. It is technically problematic because there is no endogenous way to ensure that an individual has only one self-certifying name (Douceur, 2002), there is no way to be sure about the trustworthiness or universality of an assigned name, and there is no way to ensure that an individual exists only within one specific community. More importantly, we assert that the ability to manage one’s identities in a multitude of different contexts, including the creation of multiple unrelated identities, is an essential human right.

2.1. Manufacturing Trust

The current state-of-the-art identity systems, from technology platforms to bank cards, impose asymmetric trust relationships and contracts of adhesion on their users, including both the ultimate users as well as local authorities, businesses, cooperatives, and community groups. Such trust relationships often take the form of a hierarchical trust infrastructure, requiring that users accept either a particular set of trusted certification authorities (“trust anchors”) or identity cards with private keys generated by a trusted third party. In such cases, the systems are susceptible to socially destructive business practices, corrupt or unscrupulous operators, poor security practices, or control points that risk coercion by politically or economically powerful actors. Ultimately, the problem lies in the dubious assumption that some particular party or set of parties are universally considered trustworthy.

Often, asymmetric trust relationships set the stage for security breaches. Rogue certification authorities constitute a well-known risk, even to sophisticated government actors (Charette, 2016; Vanderburg, 2018), and forged signatures have been responsible for a range of cyber-attacks including the Stuxnet worm, an alleged cyber-weapon believed to have caused damage to Iran’s nuclear programme (Kushner, 2013), as


well as a potential response to Stuxnet by the government of Iran (Eckersley, 2011). Corporations that operate the largest trust anchors have proven to be vulnerable. Forged credentials were responsible for the Symantec data breach (Goodin, 2017a), and other popular trust anchors such as Equifax are not immune to security breaches (Equifax Inc, 2018). Google has published a list of certification authorities that it thinks are untrustworthy (Chirgwin, 2016), and IT administrators have at times undermined the trust model that relies upon root certification authorities (Slashdot, 2014). Finally, even if their systems are secure and their operators are upstanding, trust anchors are only as secure as their ability to resist coercion, and they are sometimes misappropriated by governments (Bright, 2010).

Such problems are global, affecting the developed world and emerging economies alike. Identity systems that rely upon a single technology, a single implementation, or a single set of operators have proven unreliable (Goodin, 2017b,c; Moon, 2017). Widely-acclaimed national identity systems, including but not limited to the Estonian identity card system based on X-Road (Thevoz, 2016) and Aadhaar in India (Tully, 2017), are characterized by centralized control points, security risks, and surveillance.

Recent trends in technology and consumer services suggest that concerns about mobility and scalability will lead to the deployment of systems for identity management that identify consumers across a variety of different services, with a new marketplace for providers of identification services (Wagner, 2014). In general, the reuse of credentials has important privacy implications as a consumer’s activities may be tracked across multiple services or multiple uses of the same service. For this reason, the potential for a system to collect and aggregate transaction data must be evaluated whilst evaluating its impact on the privacy of its users.

While data analytics are becoming increasingly effective in identifying and linking the digital trails of individual persons, it has become correspondingly necessary to defend the privacy of individual users and implement instruments that allow and facilitate anonymous access to services. This reality was recognized by the government of the United Kingdom in the design of its GOV.UK Verify programme (Government Digital Service, 2018), a federated network of identity providers and services. However, the system as deployed has significant technical shortcomings with the potential to jeopardize the privacy of its users (Brandao et al., 2015; Whitley, 2018), including a central hub and vulnerabilities that can be exploited to link individuals with the services they use (O’Hara et al., 2011).

Unfortunately, not only do many of the recently-designed systems furnish or reveal data about their users against their interests, but they have been explicitly designed to do so. For example, consider digital rights management systems that force users to identify themselves ex ante and then use digital watermarks to reveal their identities (Thomas, 2009). In some cases, demonstrable privacy has been considered an undesirable feature and designs that protect the user’s identity intrinsically are explicitly excluded, for example in the case of vehicular ad-hoc networks (Shuhaimi and Juhana, 2012), with the implication that systems without exceptional access features are dangerous.

Finally, of particular concern are systems that rely upon biometrics for identification. By binding identification to a characteristic that users (and in most cases even governments) cannot change, biometrics implicitly prevent a user from transacting within a system without connecting each transaction to each other and potentially to a permanent record. In recent years, a variety of US patents have been filed and granted for general-purpose identity systems that rely upon biometric data to create a “root” identity linking all transactions in this manner (Liu et al., 2008; Thackston, 2018).

2.2. Approaches Using Distributed Ledgers

The prevailing identity systems commonly require users to accept third parties as trustworthy. The alternative to imposing new trust relationships is to work with existing trust relationships by allowing users, businesses, and communities to deploy technology on their own terms, independently of external service providers. In this section we identify various groups that have adopted a system-level approach to allow existing institutions and service providers to retain their relative authority and decision-making power without forcibly requiring them to cooperate with central authorities (such as governments and institutions), service providers (such as system operators), or the implementors of core technology. We suggest that ideally, a solution would not require existing institutions and service providers to operate their own infrastructure without relying upon a platform operator, while concordantly allowing groups such as governments and consultants to act as advisors, regulators, and auditors, not operators. A distributed ledger can serve this purpose by acting as a neutral conduit among its participants, subject to governance limitations to ensure neutrality and design limitations around services beyond the operation of the ledger that are required by participants. Figure 1 offers an illustration.

FIGURE 1 | Many network services are centralized in the sense that participants rely upon a specific platform operator to make use of the service (Left), whereas distributed ledgers rely upon network consensus among participants instead of platform operators (Right).

Modern identity systems are used to coordinate three activities: identification, authentication, and authorization. The central problem to address is how to manage those functions in a decentralized context with no universally trusted authorities. Rather than trying to force all participants to use a specific new technology or platform, we suggest using a multi-stakeholder process to develop common standards that define a set of


rules for interaction. Any organization would be able to develop and use their own systems that would interoperate with those developed by any other organization without seeking permission from any particular authority or agreeing to deploy any particular technology.

A variety of practitioners have recently proposed using a distributed ledger to decentralize the administration of an identity system (Dunphy and Petitcolas, 2018), and we agree that the properties of distributed ledger technologies are appropriate for the task. In particular, distributed ledgers allow their participants to share control of the system. They also provide a common view of transactions ensuring that everyone sees the same transaction history.

Various groups have argued that distributed ledgers might be used to mitigate the risk that one powerful, central actor might seize control under the mantle of operational efficiency. However, it is less clear that this lofty goal is achieved in practice. Existing examples of DLT-enabled identity management systems backed by organizations include the following, among others:

• ShoCard (SITA, 2016) is operated by a commercial entity that serves as a trusted intermediary (Dunphy and Petitcolas, 2018).
• Everest (Everest, 2019) is designed as a payment solution backed by biometric identity for its users. The firm behind Everest manages the biometric data and implicitly requires natural persons to have at most one identity within the system (Graglia et al., 2018).
• Evernym (2019) relies on a foundation (Tobin and Reed, 2016) to manage the set of approved certification authorities (Aitken, 2018), and whether the foundation could manage the authorities with equanimity remains to be tested.
• ID2020 (2019) offers portable identity using biometrics to achieve strong non-transferability and persistence (ID2020 Alliance, 2019).
• uPort (Lundkvist et al., 2016) does not rely upon a central authority, instead allowing for mechanisms such as social recovery. However, its design features an optional central registry that might introduce a means of linking together transactions that users would prefer to keep separate (Dunphy and Petitcolas, 2018). The uPort architecture is linked to phone numbers and implicitly discourages individuals from having multiple identities within the system (Graglia et al., 2018).

Researchers have proposed alternative designs to address some of the concerns. A design suggested by Kaaniche and Laurent does not require a central authority for its blockchain infrastructure but does require a trusted central entity for its key infrastructure (Kaaniche and Laurent, 2017). Coconut, the selective disclosure credential scheme used by Chainspace (2019), is designed to be robust against malicious authorities and may be deployed in a way that addresses such concerns (Sonnino et al., 2018).² We find that many systems such as these require users to bind together their credentials ex ante³ to achieve non-transferability, essentially following a design proposed by Camenisch and Lysyanskaya (2001) that establishes a single “master key” that allows each user to prove that all of her credentials are related to each other. Figure 2 offers an illustration. Even if users were to have the option to establish multiple independent master keys, service providers or others could undermine that option by requiring proof of the links among their credentials.

² Chainspace was acquired by Facebook in early 2019, and its core technology subsequently became central to the Libra platform (Field, 2019; Heath, 2019).

³ We use the term early-binding to refer to systems that establish provable relationships between transactions, attributes, identifiers, or credentials before they are used. We use the term late-binding to refer to systems that allow their users to establish such relationships at the time of use.

The concept of an individual having “multiple identities” is potentially confusing, so let us be clear. In the context of physical documents in the developed world, natural persons generally possess multiple identity documents already, including but not limited to passports, driving licenses, birth certificates, bank cards, insurance cards, and so on. Although individuals might not think of these documents and the attributes they represent as constituting multiple identities, the identity documents generally stand alone for their individual, limited purposes and need not be presented as part of a bundled set with explicit links between the attributes. Service providers might legitimately consider two different identity documents as pertaining to two different individuals, even whilst they might have been issued to the same person. A system that links together multiple attributes via early-binding eliminates this possibility. When we refer to “multiple identities” we refer to records of attributes or transactions that are not linked to each other. Users of identity documents might be willing to sacrifice this aspect of control in favor of convenience, but the potential for blacklisting and surveillance that early-binding introduces is significant. It is for this reason that we take issue with the requirement, advised by various groups including the International Telecommunications Union (2018), that individuals must not possess more than one identity. Such a requirement is neither innocuous nor neutral.

Table 1 summarizes the landscape of prevailing digital identity solutions. We imagine that the core technology underpinning these and similar approaches might be adapted to implement a protocol that is broadly compatible with what we describe in this article. However, we suspect that in practice they would need to be modified to encourage users to establish multiple, completely independent identities. In particular, service providers would not be able to assume that users have bound their credentials to each other ex ante, and if non-transferability is required, then the system would need to achieve it in a different way.

2.3. Participants in an Identity System

We shall use the following notation to represent the various parties that interact with a typical identity system:

• (1) A “certification provider” (CP). This would be an entity or organization responsible for establishing a credential based upon foundational data. The credential can be used as a form of identity and generally represents that the organization has


checked the personal identity of the user in some way. In the context of digital payments, this might be a bank.
• (2) An “authentication provider” (AP). This would be any entity or organization that might be trusted to verify that a credential is valid and has not been revoked. In current systems, this function is typically performed by a platform or network, for example a payment network such as those associated with credit cards.
• (3) An “end-user service provider” (Service). This would be a service that requires a user to provide credentials. It might be a merchant selling a product, a government service, or some other kind of gatekeeper, for example a club or online forum.
• (4) A user (user). This would be a human operator, in most cases aided by a device or a machine, whether acting independently or representing an organization or business.

As an example of how this might work, suppose that a user wants to make an appointment with a local consular office. The consular office wants to know that a user is domiciled in a particular region. The user has a bank account with a bank that is willing to certify that the user is domiciled in that region. In addition, a well-known authentication provider is willing to accept certifications from the bank, and the consular office accepts signed statements from that authentication provider. Thus, the user can first ask the bank to sign a statement certifying that he is domiciled in the region in question. When the consular office asks for proof of domicile, the user can present the signed statement from the bank to the authentication provider and ask the authentication provider to sign a new statement vouching for the user’s region of domicile, using information from the bank as a basis for the statement, without providing any information related to the bank to the consular office.

FIGURE 2 | Consider that individual persons possess credentials representing a variety of attributes (Left), and schemes that attempt to achieve strong non-transferability seek to bind these attributes together into a single, unitary “avatar” or “master” identity (Right).

TABLE 1 | A characterization of the landscape of digital identity solutions, with examples.

Name | Objectives | Concerns

Government-operated solutions
Estonian ID-Card | Interoperability, assurance | Centralized governance, surveillance
Aadhaar (India) | Interoperability, assurance | Centralized governance, surveillance
GOV.UK Verify | Federated management | Central hub, surveillance

Privately-operated solutions
ShoCard | Strong non-transferability, auditability | Commercial entity is a trusted intermediary, commercial entity stores biometric data
Everest | Strong non-transferability, digital payments | Commercial entity stores biometric data
ID2020 | Portability, persistence, strong non-transferability | Identities are unitary through use of biometrics
Evernym | Federated management | Private foundation has an operational role
Kaaniche/Laurent | Hierarchical management | Requires an agreed-upon hierarchy with trusted authority

Decentralized architectures
uPort | Federated governance and management | Identities become unitary through early-binding or similar mechanisms
Chainspace | Federated governance and management | Identities become unitary through early-binding or similar mechanisms

3. DESIGN CONSTRAINTS FOR PRIVACY AS A HUMAN RIGHT

Reflecting on the various identity systems used today, including but not limited to residence permits, bank accounts, payment cards, transit passes, and online platform logins, we observed a plethora of features with weaknesses and vulnerabilities concerning privacy (and in some cases security) that could

potentially infringe upon human rights. Although the 1948 Universal Declaration on Human Rights explicitly recognizes privacy as a human right (United Nations, 1948), the declaration was drafted well before the advent of a broad recognition of the specific dangers posed by the widespread use of computers for data aggregation and analysis (Armer, 1975), to say nothing of surveillance capitalism (Zuboff, 2015). Our argument that privacy in the context of digital identity is a human right, therefore, rests upon a more recent consideration of the human rights impact of the abuse of economic information (European Parliament, 1999). With this in mind, we identified the following eight fundamental constraints to frame our design requirements for technology infrastructure (Goodell and Aste, 2018):

Structural requirements:

1. Minimize control points that can be used to co-opt the system. A single point of trust is a single point of failure, and both state actors and technology firms have historically been proven to abuse such trust.
2. Resist establishing potentially abusive processes and practices, including legal processes, that rely upon control points. Infrastructure that can be used to abuse and control individual persons is problematic even if those who oversee its establishment are genuinely benign. Once infrastructure is created, it may in the future be used for other purposes that benefit its operators.

Human requirements:

3. Mitigate architectural characteristics that lead to mass surveillance of individual persons. Mass surveillance is about control as much as it is about discovery: people behave differently when they believe that their activities are being monitored or evaluated (Mayo, 1945). Powerful actors sometimes employ monitoring to create incentives for individual persons, for example to conduct marketing promotions or credit scoring operations. Such incentives may prevent individuals from acting autonomously, and the chance to discover irregularities, patterns, or even misbehavior often does not justify such mechanisms of control.
4. Do not impose non-consensual trust relationships upon beneficiaries. It is an act of coercion for a service provider to require a client to maintain a direct trust relationship with a specific third-party platform provider or certification authority. Infrastructure providers must not explicitly or implicitly engage in such coercion, which should be recognized for what it is and not tolerated in the name of convenience.
5. Empower individual users to manage the linkages among their activities. To be truly free and autonomous, individuals must be able to manage the cross sections of their activities, attributes, and transactions that are seen or might be discovered by various institutions, businesses, and state actors.

Economic requirements:

6. Prevent solution providers from establishing a monopoly position. Some business models are justified by the opportunity to achieve status as monopoly infrastructure. Monopoly infrastructure is problematic not only because it deprives its users of consumer surplus but also because it empowers the operator to dictate the terms by which the infrastructure can be used.
7. Empower local businesses and cooperatives to establish their own trust relationships. The opportunity to establish trust relationships on their own terms is important both for businesses to compete in a free marketplace and for businesses to act in a manner that reflects the interests of their communities.
8. Empower service providers to establish their own business practices and methods. Providers of key services must adopt practices that work within the values and context of their communities.

These constraints constitute a set of system-level requirements, involving human actors, technology, and their interaction, not to be confused with the technical requirements that have been characterized as essential to self-sovereign identity (SSI) (Stevens et al., 2018). Although our design objectives may overlap with the design objectives for SSI systems, we seek to focus on system-level outcomes. While policy changes at the government level might be needed to fully achieve the vision suggested by some of the requirements, we would hope that a digital identity system would not contain features that intrinsically facilitate their violation.

Experience shows that control points will eventually be co-opted by powerful parties, irrespective of the intentions of those who build, own, or operate the control points. Consider, for example, how Cambridge Analytica allegedly abused the data assets of Facebook Inc to manipulate voters in Britain and the US (Koslowska et al., 2018) and how the Russian government asserted its influence on global businesses that engaged in domain-fronting (Lunden, 2018; Savov, 2018). The inherent risk that centrally aggregated datasets may be abused, not only by the parties doing the aggregating but also by third parties, implies value in system design that avoids control points and trusted infrastructure operators, particularly when personal data and livelihoods are involved.

FIGURE 3 | A schematic representation of a generalized identity system. Users first establish a credential with the system, then use the system to verify the credential, and then use the verified identity to assert that they are authorized to receive a service.

4. A DIGITAL IDENTITY SYSTEM

Various digital identity architectures and deployments exist today to perform the three distinct functions we mentioned earlier: identification, authentication, and authorization (Riley, 2006). We introduce a fourth function, auditing, by which the basis for


judgements made by the system can be explained and evaluated. We characterize the four functions as follows:

• IDENTIFICATION. A user first establishes some kind of credential or identifier. The credential might be a simple registration, for example with an authority, institution, or other organization. In other cases, it might imply a particular attribute. The implication might be implicit, as a passport might imply citizenship of a particular country or a credential issued by a bank might imply a banking relationship, or it might be explicit, as in the style of attribute-backed credentials (Camenisch and Lysyanskaya, 2003; IBM Research Zurich, 2018)⁴.
• AUTHENTICATION. Next, when the provider of a service seeks to authenticate a user, the user must be able to verify that a credential in question is valid.
• AUTHORIZATION. Finally, the user can use the authenticated credential to assert to the service provider that she is entitled to a particular service.
• AUDITING. The identity system would maintain record of the establishment, expiration, and revocation of credentials such that the success or failure of any given authentication request can be explained.

⁴ We do not describe how to use attribute-backed credentials here.

Ultimately, it is the governance of a digital identity system, including its intrinsic policies and mechanisms as well as the accountability of the individuals and groups who control its operation, that determines whether it empowers or enslaves its users. We suggest that proper governance, specifically including a unified approach to the technologies and policies that the system comprises, is essential to avoiding unintended consequences to its implementation. We address some of these issues further in section 6.

Figure 3 gives a pictorial representation of the functions. Table 2 defines the notation that we shall use in our figures. With the constraints enumerated in section 3 taken as design requirements, we propose a generalized architecture that achieves our objectives for an identity system. The candidate systems identified in section 2 can be evaluated by comparing their features to our architecture. Since we intend to argue for a practical solution, we start with a system currently enjoying widespread deployment.

TABLE 2 | Notation used in the subsequent figures.

| Notation | Meaning |
|---|---|
| Request | A request for a credential. |
| Request x | A request for a credential with a parameter, x. |
| A(m) | A message m signed by party A. |
| Identify | The foundational identifying elements that a user presents to a certification provider, encrypted so that other parties (including AP) cannot read them. |
| Revoke-one | A message invalidating an earlier signature on a specific user credential. |
| Revoke-all | A message invalidating all signatures by a certain key. |
| [m] | Blinded version of message m. |
| A([m]) | Blind signature of m by A. |
| Prove-owner x* | Proof of ownership of some private key x*, for example via a challenge-response (which would imply two extra messages not shown) or by using the key to sign a pre-existing secret created by the recipient and shared with the sender. |
| Request-certs A | A request for all of the certificates on the ledger signed by A, followed by a response containing all of the matching certificates. |
| Receipt | Response from the distributed ledger system indicating that a transaction completed successfully. |
| Object | Physical, tamper-resistant object containing a unique receipt for a transaction. |

4.1. SecureKey Concierge

As a baseline example of an identity framework, we consider a system that uses banks as certification providers whilst circumventing the global payment networks. SecureKey Concierge (SKC) (SecureKey Technologies, Inc, 2015) is a solution used by the government of Canada to provide users with access to its various systems in a standard way. The SKC architecture seeks the following benefits:

1. Leverage existing “certification providers” such as banks and other financial institutions with well-established, institutional procedures for ascertaining the identities of their customers. Often such procedures are buttressed by legal frameworks such as Anti-Money Laundering (AML) and “Know Your Customer” (KYC) regulations that broadly deputize banks and substantially all financial institutions (GOV.UK, 2014) to collect identifying information on the various parties that make use of their services, establish the expected pattern for the transactions that will take place over time, and monitor the transactions for anomalous activity inconsistent with the expectations (Better Business Finance, 2017).
2. Isolate service providers from personally identifying bank details and eliminate the need to share specific service-related details with the certification provider, whilst avoiding traditional authentication service providers such as payment networks.

FIGURE 4 | A stylized schematic representation of the SecureKey Concierge (SKC) system. The parties are represented by the symbols “CP,” “AP,” “User,” and “Service,” and the arrows represent messages between the parties. The numbers associated with each arrow show the sequence, and the symbol following the number represents the contents of a message. First, the service provider (Service) requests authorization from the user, who in turn sends identifying information to the authentication provider (AP) to share with the certification provider (CP). If the CP accepts the identifying information, it sends a signed credential u to the AP, which in turn issues a new credential u′ for consumption by the Service, which can now authorize the user.

Figure 4 offers a stylized representation of the SKC architecture, as interpreted from its online documentation (SecureKey Technologies, Inc, 2015). When a user wants to access a


service, the service provider sends a request to the user (1)⁵ for credentials. The user then sends encrypted identifying information (for example, bank account login details) to the authentication provider (2), which in this case is SKC, which then forwards it to the certification provider (3). Next, the certification provider responds affirmatively with a “meaningless but unique” identifier u representing the user, and sends it to the authentication provider (4). The authentication provider then responds by signing its own identifier u′ representing the user and sending the message to the user (5), which in turn passes it along to the service provider (6). At this point the service provider can accept the user’s credentials as valid. The SKC documentation indicates that SKC uses different, unlinked values of u′ for each service provider.

⁵ The numbers in italics correspond to messages in the figure indicated, in this case (Figure 4).

4.2. A Two-Phase Approach

We might consider modifying the SKC architecture so that the user does not need to log in to the CP each time it requests a service. To achieve this, we divide the protocol into two phases, as shown in Figure 5: a setup phase (Figure 5A) in which a user establishes credentials with a “certification provider” (CP) for use with the service, and an operating phase (Figure 5B) in which a user uses the credentials in an authentication process with a service provider. So, the setup phase is done once, and the operating phase is done once per service request. In the setup phase, the user first sends authentication credentials, such as those used to withdraw money from a bank account, to an authentication provider (1). The authentication provider then uses the credentials to authenticate to the certification provider (2), which generates a unique identifier u that can be used for subsequent interactions with service providers and sends it to the authentication provider (3), which forwards it to the user (4). Then, in the operating phase, a service provider requests credentials from the user (5), which in turn uses the previously established unique identifier u to request credentials from the authentication provider (6). This means that the user would implicitly maintain a relationship with the authentication provider, including a way to log in. The authentication provider then verifies that the credentials have not been revoked by the certification provider. The process for verifying that the CP credential is still valid may be offline, via a periodic check, or online, either requiring the CP to reach out to the AP when it intends to revoke a credential or requiring the AP to send a request to the CP in real-time. In the latter case, the AP is looking only for updates on the set of users who have been through the setup phase, and it does not need to identify which user has made a request. Once the AP is satisfied, it sends a signed certification of its identifier u′ to the user (7), which forwards it to the service provider as before (8).

Unfortunately, even if we can avoid the need for users to log in to the CP every time they want to use a service, the authentication provider itself serves as a trusted third party. Although the SKC architecture may eliminate the need to trust the existing payment networks, the authentication provider maintains the mapping between service providers and the certification providers used by individuals to request services. It is also implicitly trusted to manage all of the certification tokens, and there is no way to ensure that it does not choose them in a way that discloses information to service providers or certification providers. In particular, users need to trust the authentication provider to use identifiers that do not allow service providers to correlate their activities, and users may also want to use different identifiers from time to time to communicate with the same service provider. As a monopoly platform, it also has the ability to tax or deny service to certification providers, users, or service providers according to its own interests, and it serves as a single point of control vulnerable to exploitation. For all of these reasons, we maintain that the SKC architecture remains problematic from a public interest perspective.

4.3. A User-Oriented Identity Architecture

In the architecture presented in section 4.2, the authentication provider occupies a position of control. In networked systems, control points confer economic advantages on those who occupy them (Value Chain Dynamics Working Group (VCDWG), 2005), and the business incentives associated with the opportunity to build platform businesses around control points have been used to justify their continued proliferation (Ramakrishnan and Selvarajan, 2017).

However, control points also expose consumers to risk, not only because the occupier of the control point may abuse its position but also because the control point itself creates a vector for attack by third parties. For both of these reasons, we seek to prevent an authentication provider from holding too much information about users. In particular, we do not want an authentication provider to maintain a mapping between a user and the particular services that a user requests, and we do not want a single authentication provider to establish a monopoly position in which it can dictate the terms by which users and service providers interact. For this reason, we put the user, and not the authentication provider, in the center of the architecture.

4.4. Isolation Objectives

For a user to be certain that she is not providing a channel by which authentication providers can leak her identity or by which service providers can trace her activity, then she must isolate the different participants in the system. The constraints allow us to define three isolation objectives as follows:

1. Have users generate unlinked identifiers on devices that they own and trust. Unless they generate the identifiers themselves, users have no way of knowing for sure whether identifiers assigned to them do not contain personally identifying information. For users to verify that the identifiers will not disclose information that might identify them later, they would need to generate random identifiers using devices and software that they control and trust. We suggest that for a user to trust a device, its hardware and software must be of an open-source, auditable design with auditable provenance. Although we would not expect that most users would be able to judge the security properties of the devices they use,


open-source communities routinely provide mechanisms by which users without specialized knowledge can legitimately conclude, before using new hardware or software, that a diverse community of experts have considered and approved the security aspects of the technology. Examples of such communities include Debian (Software in the Public Interest, Inc, 2019) for software and Arduino (Arduino, 2019) for hardware, and trustworthy access to these communities might be offered by local organizations such as libraries or universities.
2. Ensure that authentication providers do not learn about the user’s identity or use of services. Authentication providers that require foundational information about a user, or are able to associate different requests over time with the same user, are in a position to collect information beyond what is strictly needed for the purpose of the operation. The role of the authentication provider is to act as a neutral channel that confers authority on certification providers, time-shifts requests for credentials, and separates the certification providers from providers of services. Performing this function does not require it to collect information about individual users at any point.
3. Ensure that information given to service providers is not shared with authentication providers. The user must be able to credibly trust that his or her interaction with service providers will remain private.

The communication among the four parties that we propose can be done via simple, synchronous (e.g., HTTP) protocols that are easily performed by smartphones and other mobile devices. The cryptography handling public keys can be done using standard public-key-based technologies.

FIGURE 5 | A schematic representation of a modified version of the SKC system with a stateful authentication provider and one-time identifiers for services. The user first establishes credentials in the setup phase (A). Then, when a service provider requests credentials from the user in the operating phase (B), the user reaches out to the authentication provider for verification, which assigns a different identifier u′ each time.

4.5. Repositioning the User to Be in the Center

Figure 6 shows how we can modify the system shown in Figure 5 to achieve the three isolation objectives defined above. Here, we introduce blind signatures (Chaum, 1983) to allow the user to present a verified signature without allowing the signer and the relying party to link the identity of the subject to the subject’s legitimate use of a service.

Figure 6A depicts the new setup phase. First, on her own trusted hardware (see section 4.4), the user generates her own set of identifiers x_1, ..., x_n that she intends to use, at most once each, in future correspondence with the authentication provider. Generating the identifiers is not computationally demanding and can be done with an ordinary smartphone. By generating her own identifiers, the user can better ensure that nothing is encoded in the identifiers that might reduce her anonymity. The user then sends both its identifying information and the identifiers x_1, ..., x_n to the certification provider (1). The certification provider then responds with a set of signatures corresponding to each of the identifiers (2). The user then sends the set of signatures to the authentication provider for future use (3).

Figure 6B depicts the new operating phase. First, the service sends a request to the user along with a new nonce (one-time identifier) y corresponding to the request (4). The user then applies a blinding function to the nonce y, creating a blinded nonce [y]. The user chooses one of the identifiers x_i that she had generated during the setup phase and sends that identifier along with the blinded nonce [y] to the authentication provider (5). Provided that the signature on x_i has not been revoked, the authentication provider confirms that it is valid by signing [y] and sending the signature to the user (6). The user in turn “unblinds” the signature on y and sends the unblinded signature to the service provider (7). The use of blind signatures ensures that the authentication provider cannot link what it sees to specific interactions between the user and the service provider.

4.6. Architectural Considerations

To satisfy the constraints listed in section 3, all three process steps (identification, authentication, and authorization) must be isolated from each other. Although our proposed architecture introduces additional interaction and computation, we assert that the complexity of the proposed architecture is both parsimonious and justified:

1. If the certification provider were the same as the service provider, then the user would be subject to direct control and surveillance by that organization, violating Constraints 1, 3, and 5.


2. If the authentication provider were the same as the certification provider, then the user would have no choice but to return to the same organization each time it requests a service, violating Constraints 1 and 4. That organization would then be positioned to discern patterns in its activity, violating Constraints 3 and 5. There would be no separate authentication provider to face competition for its services as distinct from the certification services, violating Constraint 6.
3. If the authentication provider were the same as the service provider, then the service provider would be positioned to compel the user to use a particular certification provider, violating Constraints 1 and 4. The service provider could also impose constraints upon what a certification provider might reveal about an individual, violating Constraint 3, or how the certification provider establishes the identity of individuals, violating Constraint 8.
4. If the user could not generate her own identifiers, then the certification provider could generate identifiers that reveal information about the user, violating Constraint 3.
5. If the user were not to use blind signatures to protect the requests from service providers, then service providers and authentication providers could compare notes to discern patterns of a user’s activity, violating Constraint 5.

The proposed architecture does not achieve its objectives if either the certification provider or the service provider colludes with the authentication provider; we assume that effective institutional policy will complement appropriate technology to ensure that sensitive data are not shared in a manner that would compromise the interests of the user.

FIGURE 6 | A schematic representation of a digital identity system with a user-oriented approach. The new protocol uses user-generated identifiers and blind signatures to isolate the authentication provider. The authentication provider cannot inject identifying information into the identifiers, nor can it associate the user with the services that she requests. (A) Setup phase. (B) Operating phase.

5. A DECENTRALIZED IDENTITY ARCHITECTURE

A significant problem remains with the design described in section 4.5 in that it requires O(n^2) relationships among authentication providers and certification providers (i.e., with each authentication provider connected directly to each certification provider that it considers valid) to be truly decentralized. Recall that the system relies critically upon the ability of a certification provider to revoke credentials issued to users, and authentication providers need a way to learn from the certification provider whether a credential in question has been revoked. Online registries such as OCSP (Juniper Networks, 2018), which are operated by a certification provider or trusted authority, are a common way to address this problem, although the need for third-party trust violates Constraint 1.

The issue associated with requiring each authentication provider to establish its own judgment of each candidate certification provider is a business problem rather than a technical one. Hierarchical trust relationships emerge because relationships are expensive to maintain and introduce risks; all else being equal, business owners prefer to have fewer of them. Considered in this context, concentration and lack of competition among authentication providers makes sense. If one or a small number of authentication providers have already established relationships with a broad set of certification providers, just as payment networks such as Visa and Mastercard have done with a broad set of banks, then the cost to a certification provider of a relationship with a new authentication provider would become a barrier to entry for new authentication providers. The market for authentication could fall under the control of a monopoly or cartel.

5.1. Introducing Distributed Ledger Technology

We propose using distributed ledger technology (DLT) to allow both certification providers and authentication providers to proliferate whilst avoiding industry concentration. The distributed ledger would serve as a standard way for certification providers to establish relationships with any or all of the authentication providers at once, or vice-versa. The ledger itself would be a mechanism for distributing signatures and revocations; it would be shared by participants and not controlled by any single party. Figure 7 shows that users would not interact with the distributed ledger directly but via their chosen certification providers and authentication providers.


Additionally, users would not be bound to use any particular authentication provider when verifying a particular credential and could even use a different authentication provider each time. Provided that the community of participants in the distributed ledger remains sufficiently diverse, the locus of control would not be concentrated within any particular group or context, and the market for authentication can remain competitive.

FIGURE 7 | A schematic representation of a decentralized identity system with a distributed ledger. The user is not required to interact directly with the distributed ledger (represented by a dashed circle) and can rely upon the services offered by certification providers and authentication providers.

Because the distributed ledger architecture inherently does not require each new certification provider to establish relationships with all relevant authentication providers, or vice-versa, it facilitates the entry of new authentication providers and certification providers, thus allowing the possibility of decentralization.

We argue that a distributed ledger is an appropriate technology to maintain the authoritative record of which credentials have been issued (or revoked) and which transactions have taken place. We do not trust any specific third party to manage the list of official records, and we would need the system to be robust in the event that a substantial fraction of its constituent parts are compromised. The distributed ledger can potentially take many forms, including but not limited to blockchain, and, although a variety of fault-tolerant consensus algorithms may be appropriate, we assume that the set of node operators is well-known, a characteristic that we believe might be needed to ensure appropriate governance.

If implemented correctly at the system level, the use of a distributed ledger can ensure that the communication between the certification provider and the authentication provider is limited to that which is written on the ledger. If all blind signatures are done without including any accompanying metadata, and as long as the individual user does not reveal which blind signature on the ledger corresponds to the unblinded signature that he or she is presenting to the authentication provider for approval, then nothing on the ledger will reveal any information about the individual persons who are the subjects of the certificates. We assume that the certification authorities would have a limited and well-known set of public keys that they would use to sign credentials, with each key corresponding to the category of individual persons who have a specific attribute. The size of the anonymity set for a credential, and therefore the effectiveness of the system in protecting the privacy of an individual user with that credential, depends upon the generality of the category. We would encourage certification authorities to assign categories that are as large as possible. We would also assume that the official set of signing keys used by certification providers and authentication providers is also maintained on the ledger, as doing so would ensure that all users of the system have the same view of which keys the various certification providers and authentication providers are using.

5.2. Achieving Decentralization With a Distributed Ledger

Figure 8 shows how the modified architecture with the distributed ledger technology would work. Figure 8A shows the setup phase. The first two messages from the user to the certification provider are similar to their counterparts in the protocol shown in Figure 6A. However, now the user also generates n asymmetric key pairs (x_i, x_i*), where x_i is the public key and x_i* is the private key of pair i, and it sends each public key x_1, ..., x_n to the certification provider (1). Then, rather than sending the signed messages to the authentication provider via the user, the certification provider instead writes the signed certificates directly to the distributed ledger (2). Importantly, the certificates would not contain any metadata but only the public key x_i and its bare signature; eliminating metadata is necessary to ensure that there is no channel by which a certification provider might inject information that might be later used to identify a user. Figure 8B shows the operating phase, which begins when a service provider asks a user to authenticate and provides some nonce y as part of the request.

The certification provider can revoke certificates simply by transacting on the distributed ledger and without interacting with the authentication provider at all. Because the user and the authentication provider are no longer assumed to mutually trust one another, the user must now prove to the authentication provider that the user holds the private key x_i* when the user asks the authentication provider to sign the blinded nonce [y] (4). At this point we assume that the authentication provider maintains its own copy of the distributed ledger and has been receiving updates. The authentication provider then refers to its copy of the distributed ledger to determine whether a credential has been revoked, either because the certification provider revoked a single credential or because the certification provider revoked its own signing key. Provided that the credential has not been revoked, the authentication provider signs the blinded nonce [y] (5), which the user then unblinds and sends to the service provider (6). The following messages are carried out as they are done in Figure 6B.

We assume that each certification provider and authentication provider has a distinct signing key for credentials representing each possible policy attribute, and we further assume that each possible policy attribute admits a sufficiently large anonymity set so as not to identify the user, as described in section 5.1. A policy might consist of the union of a set of attributes, and because users could present arbitrary subsets of the attributes to authentication providers and service providers, we believe that in most cases it would not be practical to structure policy


from different issuers, whose combination would restrict the anonymity set to an extent that would potentially reveal the identity of the user.
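
The setup and operating phases of sections 4.5 and 5.2, as an added sketch that is not code from the paper: the certification provider posts bare certificates and a Revoke-one message to a ledger, the user proves ownership of x_i* by challenge-response, and the authentication provider signs a blinded nonce it cannot later recognise. Assumptions: textbook RSA blind signatures stand in for the blind-signature scheme (the paper does not fix one), the ledger is an in-memory list, Revoke-all is omitted, and every class and function name is hypothetical.

```python
import hashlib
import secrets
from math import gcd

def is_probable_prime(n, rounds=24):          # Miller-Rabin, for odd n > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** j, n) != n - 1 for j in range(1, s)):
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def verify(public, data, sig):
    return pow(sig, public[1], public[0]) == digest(data, public[0])

class RSAKey:
    """Textbook RSA without padding: a demonstration key, not a production one."""
    def __init__(self, bits=512, e=65537):
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
                break
        self.public, self._d = (p * q, e), pow(e, -1, (p - 1) * (q - 1))

    def sign_int(self, value):        # raw RSA; the AP applies it to blinded values
        return pow(value, self._d, self.public[0])

    def sign(self, data):
        return self.sign_int(digest(data, self.public[0]))

def entry(cp_key, kind, subject):
    """CP-signed ledger record: kind tag, bare public key x_i, signature; no metadata."""
    return (kind, cp_key.public, subject, cp_key.sign(kind.encode() + b"%d:%d" % subject))

def credential_valid(ledger, cp_public, subject):
    """True if the CP certified `subject` and has posted no Revoke-one for it."""
    kinds = {k for k, cp, subj, sig in ledger if cp == cp_public and subj == subject
             and verify(cp, k.encode() + b"%d:%d" % subj, sig)}
    return "cert" in kinds and "revoke-one" not in kinds

class AuthenticationProvider:
    def __init__(self, ledger, cp_public):
        self.key, self.ledger, self.cp_public = RSAKey(), ledger, cp_public
        self.pending = set()          # outstanding Prove-owner challenges

    def challenge(self):
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c

    def sign_blinded(self, subject, challenge, proof, blinded):
        if challenge not in self.pending or not verify(subject, challenge, proof):
            raise PermissionError("ownership of x_i* not proven")
        self.pending.discard(challenge)
        if not credential_valid(self.ledger, self.cp_public, subject):
            raise PermissionError("credential unknown or revoked")
        return self.key.sign_int(blinded)     # the AP never sees y itself

def authenticate(user_key, ap, nonce):
    """User side of the operating phase: returns (what the AP saw, signature on y)."""
    n, e = ap.key.public
    r = secrets.randbelow(n - 2) + 2          # blinding factor (coprime to n w.h.p.)
    blinded = digest(nonce, n) * pow(r, e, n) % n
    c = ap.challenge()
    blind_sig = ap.sign_blinded(user_key.public, c, user_key.sign(c), blinded)
    return (blinded, blind_sig), blind_sig * pow(r, -1, n) % n

def explains(ap_public, ap_view, nonce, sig):
    """True if some blinding factor r maps (nonce, sig) onto what the AP saw."""
    n, e = ap_public
    r = ap_view[1] * pow(sig, -1, n) % n
    return digest(nonce, n) * pow(r, e, n) % n == ap_view[0]

def demo():
    cp, x1, x2 = RSAKey(), RSAKey(), RSAKey()   # x1, x2: user-generated key pairs
    ledger = [entry(cp, "cert", x.public) for x in (x1, x2)]      # setup phase
    ap = AuthenticationProvider(ledger, cp.public)
    y1, y2 = secrets.token_bytes(16), secrets.token_bytes(16)     # service nonces
    (v1, s1), (v2, s2) = authenticate(x1, ap, y1), authenticate(x2, ap, y2)
    accepted = verify(ap.key.public, y1, s1) and verify(ap.key.public, y2, s2)
    # Every session the AP saw is consistent with every signature a service holds.
    unlinkable = all(explains(ap.key.public, v, y, s)
                     for v in (v1, v2) for y, s in ((y1, s1), (y2, s2)))
    ledger.append(entry(cp, "revoke-one", x2.public))             # CP revokes x2
    try:
        authenticate(x2, ap, y2)
    except PermissionError:
        return accepted, unlinkable, True
    return accepted, unlinkable, False
```

`demo()` returns `(accepted, unlinkable, refused)`; the `unlinkable` check shows why comparing notes does not help the authentication provider and a service: each blinded value the provider signed is explained equally well by either of the signatures later presented.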

5.3. Operating the System Offline


The proposed approach can also be adapted to work offline,
specifically when a user does not have access to an Internet-
connected authentication provider at the time that it requests
a service from a service provider. This situation applies to
two cases: first, in which the authentication provider has only
intermittent access to its distributed ledger peers (perhaps
because the authentication provider has only intermittent access
to the Internet), and second, in which the user does not have
access to the authentication provider (perhaps because the
user does not have access to the Internet) at the time that it
requests a service.
In the first case, note that the use of a distributed ledger allows
the authentication provider to avoid the need to send a query in
real-time⁶. If the authentication provider is disconnected from
the network, then it can use its most recent version of the
distributed ledger to check for revocation. If the authentication
provider is satisfied that the record is sufficiently recent, then
it can sign the record with a key that is frequently rotated
to indicate its timeliness, which we shall denote by AP_T. We
presume that AP_T is irrevocable but valid for a limited time only.
If the authentication provider is disconnected from its distributed
ledger peers but still connected to the network with the service
provider, then it can still sign a nonce from the service provider
as usual.
In the second case, however, although the user is disconnected
from the network, the service provider still requires an indication
of the timeliness of the authentication provider’s signature. The
generalized solution is to adapt the operating phase of the
protocol as illustrated by Figure 8C. Here, we assume that the
user knows in advance that she intends to request a service at
some point in the near future, so she sends the request to the
authentication provider pre-emptively, along with a one-time
identifier ui (3). Then, the authentication provider verifies the
identifier via the ledger and signs the one-time identifier ui with
the time-specific key APT (4). Later, when the service provider
requests authorization (5), the user responds with the signed
one-time identifier that it had obtained from the authentication
provider (6). In this protocol, the service provider also has a new
responsibility, which is to keep track of one-time identifiers to
FIGURE 8 | A schematic representation of one possible decentralized digital
ensure that there is no duplication.
identity system using a distributed ledger. Diagrams (A,B) show the setup and
operating phases for an initial sketch of our design, which uses a distributed
ledger to promote a scalable marketplace that allows users to choose 5.4. Achieving Unlinkability With Blinded
certification providers and authentication providers that suit their needs. Credentials
Diagram (C) shows a variation of the operating phase that can be used in an
offline context, in which the user might not be able to communicate with an
Unfortunately, the architecture described in sections 5.2 and 5.3
up-to-date authentication provider and the service provider at the same time. has an important weakness as a result of its reliance on the
revocation of user credentials. Because the credential that an
certification provider posts to the ledger is specifically identified
by the user at the time that the user asks the authentication
attributes in such a manner that one attribute represents a provider to verify the credential, the certification provider may
qualification or restriction of another. Additionally, at a system
level, authentication providers and service providers must not 6 Not sending the query over the network may also improve the privacy of
require a set of attributes, either from the same issuer or the transaction.

collude with individual authentication providers to determine
when a user makes such requests. Even within the context of
the protocol, an unscrupulous (or compromised, or coerced)
certification provider may post revocation messages for all of the
credentials associated with a particular user, hence linking them
to each other.

FIGURE 9 | A schematic representation of a metadata-resistant decentralized
identity architecture. This version of the design represents our
recommendation for a generalized identity architecture. By writing only blinded
credentials to the ledger, this version extends the design shown in Figure 8 to
resist an attack in which the certification provider can expose linkages
between different credentials associated with the same user. Diagrams (A,B)
show the setup and operating phases, analogously to the online example
shown in Figure 8; Diagram (C) shows the corresponding offline variant.

For this reason, we recommend modifying the protocol
to prevent this attack by using blinded credentials to improve
its metadata-resistance. Figure 9 shows how this would work.
Rather than sending the public keys $x_i$ directly to the certification
provider, the user sends blinded public keys $[x_i]$, one for each
of a series of specific, agreed-upon time intervals (1), which
in turn would be signed by the certification provider using a
blind signature scheme that does not allow revocation (1). The
certification provider would not sign all of the public keys and
publish the certificates to the ledger immediately; instead, it
would sign them and post the certificates to the ledger at the
start of each time interval $i$, in each instance signing the user keys
with a key of its own specific to that time interval, $CP_i$ (2). If a
user expects to make multiple transactions per time interval and
desires those transactions to remain unlinked from each other,
the user may send multiple keys for each interval.

When the time comes for the user to request a service, the
user must demonstrate that it is the owner of the private key
corresponding to a (blinded) public key that had been signed
by the certification provider. So the user must first obtain the
set of all certificates signed by $CP_i$, which it can obtain from
the authentication provider via a specific request, request-certs.
Then it can find the blind signature on $[x_i]$ from the list and
unblind the signature to reveal $CP_i(x_i)$. It can then send this
signature to the authentication provider along with its proof of
ownership of $x_i^*$ as before.

This version of the protocol is the one that we recommend
for most purposes. Although the request-certs exchange might
require the user to download a potentially large number of
certificates, such a requirement would hopefully indicate a large
anonymity set. In addition, there may be ways to mitigate
the burden associated with the volume of certificates loaded by
the client. For example, we might assume that the service
provider offers a high-bandwidth internet connection that
allows the user to request the certificates anonymously from
an authentication provider. Alternatively, we might consider
having the certification provider subdivide the anonymity set into
smaller sets using multiple well-known public keys rather than a
single $CP_i$, or we might consider allowing an interactive protocol
between the user and the authentication provider in which the
user voluntarily opts to reduce her anonymity set, for example by
specifying a small fraction of the bits in $[x_i]$ as a way to request
only a subset of the certificates.

5.5. Adapting the Design for Spending Tokens

The architecture defined in section 5.4 can also be adapted to
allow users to spend tokens on a one-time basis. This option
may be of particular interest for social and humanitarian services,
in which tokens to be used to purchase food, medicine, or
essential services may be issued by a government authority or aid
organization to a community at large. In such cases, the human
rights constraints are particularly important. Figure 10 shows
how a certification provider might work with an issuer of tokens
to issue spendable tokens to users, who may in turn represent
themselves or organizations.

FIGURE 10 | A schematic representation of a decentralized identity
architecture for exchanging tokens. The protocol represented in this figure can
be used to allow users to pay for services privately. Diagrams (A,B) show the
setup and operating phases, analogously to the online example shown in
Figures 8, 9; Diagram (C) shows the corresponding offline variant.

Figure 10A shows the setup phase. We assume that the service
provider first tells the user that it will accept tokens issued by
the certification provider (1). The user then sends a set of $n$
newly-generated public keys, along with any required identity
or credential information, to the certification provider (2). We
assume that the tokens are intended to be fungible, so the
certification provider issues $n$ new, fungible tokens on the ledger
(3). We need not specify the details of how the second message
works in practice; depending upon the trust model for the ledger
it may be as simple as signing a statement incrementing the value
associated with the certification provider’s account, or it may be
a request to move tokens explicitly from one account to another.
Then, the certification provider signs a set of $n$ messages, each
containing one of the blinded public keys, and sends them to
the user (4). The messages will function as promissory notes,
redeemable by the user that generated the keys, for control over
the tokens.

Figure 10B shows the operating phase. When a service
provider requests a token (5), the user sends a message to an
authentication provider demonstrating both that it has the right
to control the token issued by the certification provider and
that it wishes to sign the token over to the service provider
(6). The authentication provider, who never learns identifying
information about the user, lodges a transaction on the ledger that
assigns the rights associated with the token to the service provider
(7), generating a receipt (8). Once the transaction is complete, the
authentication provider shares a receipt with the user (9), which
the user may then share with the service provider (10), who may
now accept the payment as complete.

Like the “main” architecture described in section 5.4, the
“token” architecture can also be configured to work in an offline
context by modifying the operating phase. Figure 10C shows
how this would work. The user requests from the authentication
provider one or more physical “objects”, which may take the
form of non-transferable electronic receipts or physical tokens,
that can be redeemed for services from the service provider (5).
The authentication provider sends the objects to the user (8),
who then redeems them with the service provider in a future
interaction (9, 10).

6. GOVERNANCE CONSIDERATIONS

An important challenge that remains with the distributed
ledger system described in section 5 is the management of
the organizations that participate in the consensus mechanism
of the distributed ledger. We believe that this will require
the careful coordination of local businesses and cooperatives
to ensure that the system itself does not impose any non-consensual
trust relationships (Constraint 4), that no single
market participant would gain dominance (Constraint 6), and
that participating businesses and cooperatives will be able to
continue to establish their own business practices and trust
relationships on their own terms (Constraint 7), even while
consenting to the decisions of the community of organizations
participating in the shared ledger. We believe that our approach
will be enhanced by the establishment of a multi-stakeholder
process to develop the protocols by which the various parties
can interact, including but not limited to those needed to
participate in the distributed ledger, and ultimately facilitate
a multiplicity of different implementations of the technology
needed to participate. Industry groups and regulators will still
need to address the important questions of determining the rules
and participants. We surmise that various organizations, ranging
from consulting firms to aid organizations, would be positioned
to offer guidance to community participants in the network,
without imposing new constraints.

6.1. Open Standards

The case for a common, industry-wide platform for exchanging
critical data via a distributed ledger is strong. Analogous
mechanisms have been successfully deployed in the financial
industry. Established mechanisms take the form of centrally-managed
cooperative platforms such as SWIFT (Society for
Worldwide Interbank Financial Telecommunication, 2018),
which securely carries messages on behalf of financial markets
participants, while others take the form of consensus-based
industry standards, such as the Electronic Data Interchange
(EDI) standards promulgated by X12 (The Accredited Standards
Committee, 2018) and EDIFACT (United Nations Economic
Commission for Europe, 2018). Distributed ledgers such as
Ripple (2019) and Hyperledger (IBM, 2019) have been proposed
to complement or replace the existing mechanisms.

For the digital identity infrastructure, we suggest that the
most appropriate application for the distributed ledger system
described in section 5 would be a technical standard for business
transactions promulgated by a self-regulatory organization
working concordantly with government regulators. A prime
example from the financial industry is best execution, exemplified
by Regulation NMS (Securities and Exchange Commission,
2005), which led to the dismantling of a structural monopoly
in electronic equities trading in the United States⁷. Although
the US Securities and Exchange Commission had the authority
to compel exchanges to participate in a national market system
since 1975, it was not until 30 years later that the SEC moved
to explicitly address the monopoly enjoyed by the New York
Stock Exchange (NYSE). The Order Protection Rule imposed by
the 2005 regulation (Rule 611) “requir[ed] market participants
to honor the best prices displayed in the national market system
by automated trading centers, thus establishing a critical linkage
framework” (Securities and Exchange Commission Historical
Society, 2018). The monopoly was broken, NYSE member firms
became less profitable, and NYSE was ultimately bought by
Intercontinental Exchange in 2013 (Reuters, 2018).

⁷ See also MiFID, its European Union counterpart (European Parliament, 2004).

We believe that distributed ledgers offer a useful mechanism
by which self-regulatory organizations satisfy regulations
precisely intended to prevent the emergence of control points,
market concentration, or systems whose design reflects a conflict
of interest between their operators and their users.

6.2. No Master Keys, No Early-Binding

An important expectation implicit to the design of our system
is that users can establish and use as many identities as they
want, without restriction. This means not only that a user can
choose which credentials to show to relying parties, but also that
a user would not be expected to bind the credentials to each
other in any way prior to their use. Such a binding would violate
Constraint 5 from section 3. In particular, given two credentials,
there should be no way to know or prove that they were issued
to the same individual or device. This property is not shared by
some schemes for non-transferable anonymous credentials that
encourage users to bind together credentials to each other via a
master key or similar mechanism (Camenisch and Lysyanskaya,
2001) as described in section 2.2.

If it were possible to prove that two or more credentials
were associated with the same identity, then an individual could
be forced to associate a set of credentials with each other
inextricably, and even if an individual might be given an option to
reveal only a subset of his or her credentials to a service provider
at any given time, the possibility remains that an individual
might be compelled to reveal the linkages between two or more
credentials. For example, the device that an individual uses might
be compromised, revealing the master key directly, which would
be problematic if the same master key were used for many or all
of the individual’s credentials. Alternatively, the individual might
be coerced to prove that the same master key had been associated
with two or more credentials.

The system we describe explicitly does not seek to rely
upon the ex ante binding together of credentials to achieve
non-transferability or for any other purpose. We suggest that
the specific desiderata and requirements for non-transferability
might vary across use cases and can be addressed accordingly.
Exogenous approaches to achieve non-transferability might
have authentication providers require users to store credentials
using trusted escrow services or physical hardware with strong
counterfeiting resistance such as two-factor authentication
devices. Endogenous approaches might have authentication
providers record the unblinded signatures on the ledger once
they are presented for inspection, such that multiple uses of the
same credential become explicitly bound to each other ex post
or are disallowed entirely. Recall that the system assumes that
credentials are used once only and that certification providers
would generate new credentials for individuals in limited batches,
for example at a certain rate over time.

TABLE 3 | A categorization matrix for use cases.

                  Assert entitlements                     Spend tokens
Private sector    Membership programmes                   Mobile communication services
Public sector     Library access programme eligibility    Public transportation

We divide the universe of use cases into four categories based upon whether the purpose
is to assert entitlements or to spend tokens and upon whether the services in question
are operated by the public sector or the private sector, and we include some examples.

7. USE CASES

We anticipate that there might be many potential use cases
for a decentralized digital identity infrastructure that affords
users the ability to manage the linkages among their credentials.
Table 3 offers one view of how the use cases might be divided
into four categories on the basis of whether the purpose is
to assert entitlements or spend tokens and upon whether the
services in question are operated by the public sector or the
private sector. Use cases that involve asserting entitlements
might include asserting membership of a club for the purpose
of gaining access to facilities, accessing restricted resources,
or demonstrating eligibility for a discount, perhaps on the
basis of age, disability, or financial hardship, at the point of
sale. Use cases that involve spending tokens can potentially
be disruptive, particularly in areas that generate personally
identifiable information. We imagine that a decentralized digital
identity infrastructure that achieves the privacy requirements
would be deployed incrementally, whether general purpose
or not. We suggest the following three use cases might be
particularly appropriate because of their everyday nature, and
might be a fine place to start:

1. Access to libraries. Public libraries are particularly sensitive
to risks associated with surveillance (Zimmer and Tijerina,
2018). The resources of a public library are the property
of its constituency, and the users have a particular set of
entitlements that have specific limitations in terms of time
and quantity. Entitlement levels could be managed by having
the issuer use a different signing key for each entitlement.
User limits could be enforced in several ways. One method
involves requiring a user to make a security deposit that is
released at the time that a resource has been returned and
determined to be suitable for recirculation. Another method
involves requiring the library to check the ledger to verify
that a one-time credential has not already been used as a
precondition for providing the resource and requiring the user
to purchase the right to a one-time credential that can only be
re-issued upon return of the resource.
2. Public transportation. It is possible to learn the habits,
activities, and relationships of individuals by monitoring their
trips in an urban transportation system, and the need for a
system-level solution has been recognized (Heydt-Benjamin,
2006). Tokens for public transportation (for example, pay-as-you-go
or monthly bus tickets) could be purchased with
cash in one instance and then spent over time with each trip
unlinkable to each of the others. This can be achieved by
having an issuer produce a set of one-time use blinded tokens
in exchange for cash and having a user produce one token for
each subsequent trip. Time-limited services such as monthly
travel passes could be issued in bulk, including a signature with
a fixed expiration date providing a sufficiently large anonymity
set. An issuer could also create tokens that might be used
multiple times, subject to the proviso that trips for which the
same token is used could be linked.
3. Wireless data service plans. Currently, many mobile devices
such as phones contain unique identifiers that are linked to
accounts by service providers and can be identified when
devices connect to cellular towers (GSM Association, 2019).
However, it is not actually technically necessary for service
providers to know the particular towers to which a specific
customer is connecting. For the data service business to be
tenable, we suggest that what service providers really need is
a way to know that their customers have paid. Mobile phone
service subscribers could have their devices present blinded
tokens, obtained from issuers following purchases at sales
offices or via subscription plans, to cellular towers without
revealing their specific identities, thus allowing them to avoid
tracking over extended periods of time. Tokens might be
valid for a limited amount of time such as an hour, and a
customer would present a token to receive service for a limited
time. System design considerations would presumably include
tradeoffs between the degree of privacy and the efficiency of
mobile handoff between towers or time periods.

We do not anticipate or claim that our system will be suitable for
all purposes for which an individual might be required to present
electronic credentials. We would imagine that obtaining security
clearances or performing certain duties associated with public
office might explicitly require unitary identity. Certain activities
related to national security undertaken by ordinary persons,
such as crossing international borders, might also fall into this
category, although we argue that such use cases must be narrowly
circumscribed to offer limited surveillance value through record
linkage. In particular, linking any strongly non-transferable
identifiers or credentials to the identities that individuals use
for routine activities (such as social media, for example, or the
use cases described above) would specifically compromise the
privacy rights of their subjects. Other application domains, such
as those involving public health or access to medical records,
present specific complications that might require a different
design. Certain financial activities would require interacting
with regulated financial intermediaries who are subject to
AML and KYC regulations, as mentioned in section 4.1. For
this reason, achieving privacy for financial transactions might
require a different approach that operates with existing financial
regulations (Goodell and Aste, 2019).

8. CONCLUSIONS AND FUTURE WORK

We argue that the ability of individuals to create and
maintain multiple unrelated identities is a fundamental,
inalienable human right. For the digital economy to
function while supporting this human right, individuals
must be able to control and limit what others can
learn about them over the course of their many
interactions with services, including government and
institutional services.

We have introduced a framework for an open digital
identity architecture that promotes the implementation of
identity architectures that satisfy constraints that we consider
essential to the protection of human rights, and we believe
that a combination of strong technology and thoughtful policy
will be necessary to promote and ensure the implementation,
deployment, and use of technology that satisfies them. We
have elaborated eight requirements for technology infrastructure
and demonstrated that they can be achieved by means of
a decentralized architecture. Our framework does not seek
strong non-transferability via an early-binding approach, and
we argue that distributed ledgers can be used not only
to achieve the privacy objectives but also to deliver an
alternative to strong non-transferability. We have identified
challenges associated with scalability and governance, and we
have also demonstrated how tokens can be spent via such
a system as well as how the system might be used in an
offline context.

Future work may include formal analysis of the information
security properties of a system designed according to this
framework, as well as the development of a proof-of-concept
implementation and a corresponding evaluation of the various
implementation tradeoffs relevant to different use cases. We
suggest that different use cases would entail significantly different
design choices.

The specific mechanism for fostering a community of
participating organizations will depend upon the relationship
between those organizations and the group that ultimately
assumes the role of ensuring that the system does not impose
non-consensual trust relationships on its users. It must be noted
that any system that puts control in the hands of end-users
carries the burden of education, both for the well-functioning
of the system as well as for safeguarding its role in protecting
the public interest. Future research, therefore, must include case
studies of how similar systems have been developed, deployed,
and maintained over time, in a variety of different social and
business contexts.

AUTHOR CONTRIBUTIONS

GG is the primary author; he performed the research and
wrote the paper. TA directed the research, edited the paper for
citations, audience framing, language, and contextualization with
existing literature.

ACKNOWLEDGMENTS

We thank Valerie Khan, Edgar Whitley, Paul Makin, and Oscar
King for their thoughtful insights. GG is also an associate
of the Centre for Technology and Global Affairs at the
University of Oxford. We acknowledge the Engineering and
Physical Sciences Research Council (EPSRC) for the BARAC
project (EP/P031730/1) and the European Commission for the
FinTech project (H2020-ICT-2018-2 825215). TA acknowledges
the Economic and Social Research Council (ESRC) for funding
the Systemic Risk Centre (ES/K002309/1). This manuscript
has been released as a Pre-Print at http://export.arxiv.org/pdf/1902.08769.
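
Sections 5.3 and 5.4 describe blinded issuance under interval-specific keys CP_i, the request-certs lookup, and an offline voucher signed with a time-limited key AP_T that the service provider checks for duplicates; the following is an added sketch of that flow, not code from the paper or its authors. It assumes textbook RSA blind signatures over constructed toy keys that anyone can factor, treats each x_i as an opaque random string (the proof of ownership of the matching private key is left out), and every class, method and window index in it is hypothetical.

```python
import hashlib
import math
import secrets

E = 65537  # public exponent shared by every toy key

def toy_key(a, b):
    """Constructed RSA key from Mersenne primes 2^a-1 and 2^b-1: factorable, demo only."""
    p, q = 2**a - 1, 2**b - 1
    phi = (p - 1) * (q - 1)
    assert math.gcd(E, phi) == 1
    return p * q, pow(E, -1, phi)  # (modulus n, private exponent d)

def fdh(data, n):  # full-domain hash of a byte string into Z_n
    width = (n.bit_length() + 7) // 8 + 8
    return int.from_bytes(hashlib.shake_256(data).digest(width), "big") % n

class CertificationProvider:
    """Blind-signs user keys with an interval-specific key CP_i and posts to the ledger."""
    def __init__(self, ledger):
        self.ledger = ledger
        self._keys = {0: toy_key(521, 607), 1: toy_key(127, 1279)}  # interval i -> CP_i
    def public(self, i):
        return self._keys[i][0]
    def sign_and_post(self, i, blinded):
        n, d = self._keys[i]
        self.ledger.append((i, blinded, pow(blinded, d, n)))  # sees [x_i], never x_i

class User:
    def __init__(self):
        self.pending = {}  # interval -> (x_i, blinding factor r, [x_i])
    def blind(self, i, n):
        x = secrets.token_bytes(32)  # stand-in for a freshly generated public key x_i
        r = secrets.randbelow(n - 3) + 2
        while math.gcd(r, n) != 1:
            r = secrets.randbelow(n - 3) + 2
        blinded = fdh(x, n) * pow(r, E, n) % n
        self.pending[i] = (x, r, blinded)
        return blinded
    def unblind(self, i, n, certs):
        """Find our entry in the request-certs response and strip the blinding factor."""
        x, r, blinded = self.pending.pop(i)
        blind_sig = next(s for (j, b, s) in certs if j == i and b == blinded)
        return x, blind_sig * pow(r, -1, n) % n  # (x_i, CP_i(x_i))

class AuthenticationProvider:
    """Verifies CP_i(x_i), then vouches for x_i with the short-lived key AP_T."""
    def __init__(self, ledger, cp_public):
        self.ledger, self.cp_public = ledger, cp_public
        self._keys = {0: toy_key(89, 2203), 1: toy_key(107, 2281)}  # window T -> AP_T
    def public(self, window):
        return self._keys[window][0]
    def request_certs(self, i):
        return [c for c in self.ledger if c[0] == i]  # the whole anonymity set
    def vouch(self, i, x, sig, window):
        n = self.cp_public(i)
        if pow(sig, E, n) != fdh(x, n):
            return None  # not a valid signature under CP_i
        m, d = self._keys[window]
        return pow(fdh(x, m), d, m)

class ServiceProvider:
    """Offline check: AP_T must be current and the one-time identifier must be new."""
    def __init__(self, ap_public):
        self.ap_public, self.seen = ap_public, set()
    def accept(self, x, voucher, window, now):
        if window != now:
            return "stale"  # AP_T is valid for a limited time only
        n = self.ap_public(window)
        if pow(voucher, E, n) != fdh(x, n):
            return "invalid"
        if x in self.seen:
            return "duplicate"  # one-time identifiers must not repeat
        self.seen.add(x)
        return "ok"

def demo():
    ledger = []
    cp = CertificationProvider(ledger)
    ap = AuthenticationProvider(ledger, cp.public)
    sp = ServiceProvider(ap.public)
    alice, bob = User(), User()
    for i in (0, 1):  # setup: one blinded key per user per interval
        for user in (alice, bob):
            cp.sign_and_post(i, user.blind(i, cp.public(i)))
    out = {}
    certs = ap.request_certs(0)
    out["anonymity_set"] = len(certs)
    x, sig = alice.unblind(0, cp.public(0), certs)
    issuer_view = {v for (_, b, s) in ledger for v in (b, s)}
    out["issuer_saw_credential"] = sig in issuer_view or fdh(x, cp.public(0)) in issuer_view
    out["wrong_interval"] = ap.vouch(1, x, sig, window=0) is None
    voucher = ap.vouch(0, x, sig, window=0)  # fetched pre-emptively, while online
    out["first"] = sp.accept(x, voucher, window=0, now=0)
    out["replay"] = sp.accept(x, voucher, window=0, now=0)
    x2, sig2 = bob.unblind(0, cp.public(0), certs)
    out["late"] = sp.accept(x2, ap.vouch(0, x2, sig2, window=0), window=0, now=1)
    return out
```

Nothing the certification provider signed or posted equals the value later shown to the authentication provider, which is what keeps issuance and use unlinkable in this sketch.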

REFERENCES

5Rights Foundation (2019). Available online at: https://5rightsfoundation.com/ (accessed October 09, 2019).
Abelson, H., Anderson, R., Bellovin, S., Benaloh, J., Blaze, M., Diffie, W., et al. (1997). The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption. Available online at: https://academiccommons.columbia.edu (accessed March 11, 2019).
Abelson, H., Anderson, R., Bellovin, S., Benaloh, J., Blaze, M., Diffie, W., et al. (2015). Keys under doormats: mandating insecurity by requiring government access to all data and communications. J. Cybersecur. 1, 69–79. doi: 10.1093/cybsec/tyv009
Aitken, R. (2018). IBM Blockchain Joins Sovrin’s “Decentralized” Digital Identity Network To Stem Fraud. Forbes. Available online at: https://www.forbes.com/sites/rogeraitken/2018/04/05/ibm-blockchain-joins-sovrins-decentralized-digital-identity-network-to-stem-fraud/ (accessed January 11, 2019).
Arduino (2019). Available online at: https://www.arduino.cc/ (accessed October 11, 2019).
Armer, P. (1975). Computer technology and surveillance. Comput. People 24, 8–11.
Benaloh, J. (2018). What if responsible encryption back-doors were possible? Lawfare Blog. Available online at: https://www.lawfareblog.com/what-if-responsible-encryption-back-doors-were-possible (accessed December 11, 2018).
Better Business Finance (2017). What Are the AML and KYC Obligations of a Bank in the UK? Available online at: https://www.betterbusinessfinance.co.uk/aml-and-kyc/what-are-the-aml-and-kyc-obligations-of-a-bank-in-the-uk (accessed May 28, 2017).
Brandao, L, Christin, N, Danezis, G, and Anonymous. (2015). Toward mending two nation-scale brokered identification systems. Proc. Privacy Enhanc. Technol. 2015, 135–155. doi: 10.1515/popets-2015-0022
Bright, P. (2010). Gov’t, certificate authorities conspire to spy on SSL users? Ars Technica. Available online at: https://web.archive.org/web/20171004131406 (accessed May 11, 2018).
Camenisch, J., and Lysyanskaya, A. (2001). “An efficient system for non-transferable anonymous credentials with optional anonymity revocation,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2001: Advances in Cryptology), 93–118. Available online at: https://eprint.iacr.org/2001/019.pdf (accessed July 25, 2019).
Camenisch, J., and Lysyanskaya, A. (2003). “A signature scheme with efficient protocols,” in Lecture Notes in Computer Science, Vol. 2576 (Springer). Available online at: http://rd.springer.com (accessed May 10, 2019).
Chainspace (2019). Available online at: https://chainspace.io/ (accessed October 11, 2019).
Charette, R. (2016). “DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands,” in IEEE Spectrum. Available online at: https://spectrum.ieee.org/riskfactor/telecom/security/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands (accessed May 11, 2018).
Chaum, D. (1983). Blind signatures for untraceable payments. Adv. Cryptol. Proc. Crypto 82, 199–203.
Chirgwin, R. (2016). Google publishes list of Certificate Authorities it doesn’t trust. The Register. Available online at: https://www.theregister.co.uk/2016/03/23/google_now_publishing_a_list_of_cas_it_doesnt_trust/ (accessed May 11, 2018).
Douceur, J. (2002). “The Sybil Attack,” IPTPS ’01 Revised Papers from the First International Workshop on Peer-to-Peer Systems, 251–260. Available online at: https://www.freehaven.net/anonbib/cache/sybil.pdf (accessed May 11, 2018).
Dunphy, P., and Petitcolas, F. (2018). A first look at identity management schemes on the blockchain. arXiv preprint arXiv:1801.03294v1.
Eckersley, P. (2011). Electronic Frontier Foundation Technical Analysis. Available online at: https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https (accessed May 11, 2018).
Equifax Inc (2018). 2017 Cybersecurity Incident & Important Consumer Information. Available online at: https://www.equifaxsecurity2017.com/ (accessed May 11, 2018).
European Parliament (1999). Development of Surveillance Technology and Risk of Abuse of Economic Information. Luxembourg: Scientific and Technological Options Assessment (STOA), PE 168.184/Vol 1/5/EN. Available online at: https://www.europarl.europa.eu/RegData/etudes/etudes/join/1999/168184/DG-4-JOIN_ET%281999%29168184_EN.pdf (accessed October 11, 2019).
Conflict of Interest: The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Copyright © 2019 Goodell and Aste. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
